00 


Tff 

o 

< 


T) 


STATE  OF  THE  PRIVACY  JiCT : AN  OVERVIEW  OF 

TECHNOLOGICAL  AND  SOCIAL  SCIENCE  DEVELOPMENTS 


> 0 


Willis  H./Ware 


OL. 


o 

o 


DISTRIBUTION  STATEMENT_A. 

Approved  foi  public  release; 
Distribution  Unlimited 


// 


P-5756 


The  Rand  Paper  Series 


Papers  are  issued  by  The  Rand  Corporation  as  a service  to  its  professional  staff. 
Their  purpose  is  to  facilitate  the  exchange  of  ideas  among  those  who  share  the 
author’s  research  interests;  Papers  are  not  reports  prepared  in  fulfillment  of 
Rand's  contracts  or  grants.  Views  expressed  in  a Paper  are  the  author's  own,  and 
are  not  necessarily  shared  by  Rand  or  its  research  sponsors. 

^The  Rand  Corporation 
Santa  Monica,  California  90406 


[ kcesim  m 1 

»nt 

nn«  twtiM  / Y J 

m 

(mi  s*c»i*  a 

wuMooitca 

□ 

JUSIlf ICATIOM...  _ . 

llVv 

Hm.  * 

< V 

IT 

iiSTSiMTioi/jiMtuiiurr  ma 

Gist. 

AVAIL.  ind/Of  SPECIAL  I 

ft 

• 

STATE  OF  THE  PRIVACY  ACT:  AN  OVERVIEW  OF 

TECHNOLOGICAL  AND  SOCIAL  SCIENCE  DEVELOPMENTS  * 


The  task  this  morning  is  to  describe  and  characterize  the  cause  of 
privacy,  show  where  the  issue  has  come  from,  what  forces  are  driving  it, 
and  to  persuade  you  that  the  issue  is  an  unavoidable  one  that  we  must 
face  as  a society  and  as  a country.  Finally,  I will  describe  briefly 
an  enlarged  set  of  topics  of  which  privacy  is  one.  There  is  similarity 
between  privacy  as  a social  issue  and  a story  that  speaks  about  the  great 
ape  strolling  across  the  veldt  one  moonlit  night.  He  glanced  up  and  de- 
cided that  it  would  be  a challenge  for  him  to  get  to  the  moon.  With  a 
thin  overcast  he  could  not  see  the  moon  too  clearly,  so  he  sought  the 
tallest  tree  in  the  neighborhood.  Having  climbed  to  the  top  to  get  a 
better  view,  he  still  could  not  see  his  goal  with  complete  clarity,  but 
he  mused  to  himself:  "At  least  my  project  is  off  the  ground."  Such  it 
is  with  privacy.  We  do  see  the  goals  of  privacy  reasonably  clearly;  we 
are  off  the  ground  with  it  through  federal  and  some  state  legislation,  but 
the  full  complexity  of  it  is  yet  to  be  understood.  Nor  do  we  comprehend 
everything  that  may  stand  between  where  we  are  and  where  we  will  have  to 
be,  but  unlike  getting  to  the  moon,  privacy  protection  is  not  a problem 
that  will  yield  to  science  and  technology,  although  of  course  it  does 
have  a large  technological  component. 

The  word  "privacy"  for  this  conference  is  to  be  understood  in  the  con- 
text of  record  keeping.  It  is  important  to  appreciate  this  is  a very  fast 
developing  subject  matter,  that  my  own  perceptions  and  insights  are  de- 
veloping almost  on  a daily  basis,  and  hence  I can  only  give  you  a snapshot 
of  things  as  they  now  stand.  How  did  we  get  where  we  are? 

In  part,  the  present  situation  arises  from  the  fast  pace  of  computer 
technology  and  the  interaction  of  that  technology  with  the  information 


* f 

This  keynote  talk  was  presented  to  the  University  of  Southern  California 
Conference  entitled  "Expanding  the  Right  to  Privacy:  Research  and  Legislative 
Initiatives  for  the  future,"  held  in  Washington,  D.C.  on  October  14,  1976. 


DISTRIBUTION  ST ATTMJ.  XV  " 

Approved  for  public  n ':c 
Distribution  Unlimiud 


- 2 - 


demands  of  contemporary  society.  One  needs  a full  appreciation  and  under- 
standing of  what  computer  technology  has  accomplished  in  its  short  history 
in  order  to  realize  what  has  happened — largely  not  visible — and  what  is 
before  us.  As  has  been  pointed  out,  when  something  changes  by  a factor 
of  10  fundamental  new  effects  will  be  created,  and  new  problems  will  emerge.** 
The  phenomenon  is  easy  to  appreciate  in  terms  of  transportation;  from  walking 
to  the  automobile  is  roughly  a factor  of  10,  from  the  automobile  to  the  jet 
airplane  is  roughly  another  factor  of  10,  and  we  all  comprehend  the  implica- 
tions that  stem  from  a hundred  fold  Increase  in  capability  to  get  from  one 
place  to  another.  One  goes  on  vacation  to  places  of  his  choice;  one  has 
conferences  like  this  anywhere  with  people  from  everywhere;  one  finds  fresh 
food  from  all  over  the  country — and  world — in  the  market;  one  encounters  a 
new  phenomena  known  as  jet  lag  and  its  implications  for  good  decision  making 
and  for  research  into  bio-rhythms. 

Furthermore,  from  walking  to  the  fastest  supersonic  aircraft,  there  is 
roughly  a factor  of  a thousand,  about  two  miles  an  hour  to  2000  miles  an 
hour.  Extrapolating  to  orbital  speeds*  at  roughly  20,000  miles  an  hour, 
there  is  another  factor  of  ten.  Overall  transportation  speeds  have  in- 
creased about  10,000  fold.  It  is  not  likely  that  another  factor  of  10  can 
be  obtained.  Transportation  technology  is  at  a plateau  so  far  as  speed 
advance  is  concerned.  By  contrast,  computers  started  out  in  the  40' s doing 
things  one  a second,  and  now  machines  routinely  do  operations  at  a million 
or  so  per  second.  In  contrast  to  the  10,000  fold  increase  in  transportation 
technology,  there  is  already  a million  fold  increase  in  computer  capability 
and  it  has  not  and  will  not  stop.  With  technology  that  is  already  under- 
stood, and  is  routinely  dealt  with  in  the  research  world,  there  is  at  least 
another  factor  of  a 100  and  perhaps  another  factor  of  a 1000  yet  to  go 
before  we  even  have  to  look  for  something  wholly  new.***  In  contrast  to 
most  things  that  change  by  a few  factors  of  10  over  many  decades,  computer 
technology  has  changed  by  six  or  even  eight  factors  of  10  in  two  and  a half 
decades. 

A second  comment  about  the  computer.  The  correct  perception  of  it  is 
that  of  a device  that  contains  a set  of  rules — called  a computer  program — and 
that  operates  on  some  set  of  information.  By  way  of  illustration,  if  the 

** 

Impact  of  Computers,  R.W.  Hamming,  American  Mathematical  Monthly, 

Volume  72,  No.  2. , Part  2,  pp  1-7,  February  1965. 

*** 

The  Ultimate  Computer,  W.  H.  Ware,  Spectrum  of  the  IEEE,  Volume  9, 

No. 3,  pp  84-91,  March  1972. 


information  is  financial  data  and  the  rules  are  those  of  accounting,  the 
computer  is  doing  accounting;  if  the  Information  is  positions  on  a board 
and  the  rules  are  those  of  checkers,  it  is  playing  a game;  if  the  infor- 
mation concerns  aircraft  flights  and  seats  on  flights  and  the  rules  are 
those  for  assigning  seats  and  keeping  track  of  them,  then  the  computer 
is  running  a reservation  service;  if  the  information  is  that  of  temper- 
atures or  pressures  or  flows  of  liquids  in  a petrochemical  plant  and  the 
rules  are  those  of  the  chemistry  of  petroleum,  the  computer  is  running 
a refinery.  If  one  can  construct  a set  of  rules  completely  and  accurately 
for  some  function,  then  the  computer  can  take  over  the  job.  Thus,  between 
its  staggering  growth  in  capability — the  factor  of  a million  or  the  hundred 
million  coming — and  the  flexibility  to  store  and  manipulate  all  kinds  of 
information,  it  is  little  wonder  that  the  computer  has  become  so  ubiquitous, 
become  so  pervasive  in  the  affairs  of  people,  and  the  affairs  of  organiza- 
tions and  government  and  education.  1 will  note  parenthetically  that  it  is 
only  the  beginning;  there  are  presently  unknowable  surprises  ahead.  One 
surprise  of  recent  years  has  teen  the  astounding  proliferation  of  the  hand 
calculator,  completely  unperceived  five  years  ago.  Electronic  fm.d  trans- 
fer systems  are  being  installed;  there  are  computers  in  washing  machines  and 
computers  in  automobiles  and  computers  in  the  home. 

A rapidly  emerging  and  enormously  flexible  technology  has  intersected 
with  the  information  requirements  of  a modern  country.  The  United  States 
and  the  world  reflect  an  environment  that  demands  vast  amounts  of  informa- 
tion to  make  it  run.  This  is  not  a capricious  or  an  evil  development,  but 
rather  it  reflects  a genuine  need  driven  by  such  things  as  the  size  of 
this  country  (200  plus  million  people  leading  a very  complex  life  style 
creating  multiple  data  trails  in  their  dally  affairs),  the  size  of  our 
social,  government  and  educational  institutions,  the  large  social  programs 
that  function  at  the  government  level,  and  the  accountability  that  goes 
with  each  of  them.  In  these  and  other  examples,  information  is  the  universal 
commodity  that  makes  everything  function.  In  fact,  information  is  the  thing 
that  makes  each  of  us  as  a biological  organism  operate.  When  a technology 
appears  that  grows  by  enormous  factors,  that  finds  pervasive  application 
and  fills  an  essential  and  waiting  need,  it  is  inevitable  that  there  will 
be  an  enormous  impact  on  society  and  its  institutions.  It  is  inevitable 


- 4 - 


that  new  effects  will  happen  and  it  is  inevitable  that  some  of  these  new 
effects  will  lead  to  problems.  One  is  the  privacy  issue. 

Of  all  the  kinds  of  information  that  a computer  can  deal  with,  infor- 
mation about  people  is  one.  What  has  happened  in  the  last  ten  years  or  so, 
and  especially  in  the  last  five,  is  a large  scale  proliferation  of  record 
keeping  systems,  computer  based  and  dealing  with  information  about  people. 

In  the  large,  such  record  keeping  systems  are  not  visible  to  the  individual; 
they  do  things  with  information  about  people  that  are  unknown  to  them;  they 
make  determinations  about  individuals  in  ways  that  are  unperceived;  the 
information  in  them  is  used  in  ways  that  are  beyond  the  control  of  the 
data  subjects;  the  record  keeping  systems  acquire  information  from  diverse 
sources.  Therefore,  we  find  the  present  situation  to  be  this;  an  organiza- 
tion tends  to  use  information  for  whatever  it  wishes — internal  purposes, 
expedience,  profit,  convenience.  It  does  so  knowing  that  no  right  of 
ownership  exists  for  the  individual;  it  does  so  knowing  that  the  individual 
has  no  legal  standing  by  which  to  attempt  to  control  the  record  system. 
Moreover,  an  organization  tends  to  collect  whatever  information  it  wishes 
about  individuals  and  except  in  a very  few  rare  cases,  personal  information 
has  no  legal  protection  against  court  seizure.  We  have  a strongly  one- 
sided situation  in  which  all  the  chips  are  held  by  the  record  keeping  organi- 
zation. In  such  a circumstance,  there  are  numerous  opportunities  for  the 
individual  to  be  treated  unfairly,  either  carelessly  or  accidentally  or  de- 
liberately. It  is  as  though  our  society  used  fire  as  a technology,  but  had 
not  yet  invented  the  fire  department,  the  arson  squad,  or  fire  insurance. 

We  need  to  create  legal  and  institutional  safeguards  in  order  to  get  the 
privacy  situation  into  better  balance. 

Such  is  the  historical  downstream  perspective  on  informational  pri- 
vacy. It  is  now  possible  to  stand  back  and  identify  the  social  goals  we 
are  trying  to  serve  with  privacy  safeguards.  My  present  perception  of 
them  is  as  follows. 

o We  are  trying  to  assure  that  the  public  is  well  informed,  collec- 
tively and  individually,  on  record  keeping  matters  that  affect 
people  and  influence  citizens. 

o We  are  trying  to  strike  a balance  in  the  country  between  the 
genuine  and  well  founded  needs  of  government  and  the  private 


- 5 - 

sector  for  information  about  people  and  the  citizen,  and  the  right 
to  have  some  control  over  the  use  of  information  about  each  one. 
o We  are  trying  to  assure  fair  use  of  personal  information  when  it 
is  involved  in  making  a determination  about  an  individual.  To 
put  it  another  way,  we  are  trying  to  safeguard  individuals  against 
harm  or  damage  as  a result  of  the  functioning  of  some  record  keep- 
ing system. 

o We  are  trying  to  minimize  unnecessary  and  intrusive  information 
collection;  we  are  trying  to  safeguard  the  citizens  against  re- 
vealing information  about  himself  unnecessarily, 
o A somewhat  more  subtle  goal,  not  entirely  within  the  realm  of  pri- 
vacy— as  a country  we  are  trying  to  minimize  the  risk  of  creating 
an  all  encompassing  extensive  set  of  record  systems,  each  linked 
with  all  others,  that  would  make  usurpation  possible.  We  must 
minimize  the  risk  that  the  record  keeping  infrastructure  of  the 
country  will  upset  the  balance  of  power  and  the  present  structure 
of  government  and  society.  The  last  point  of  course  is  related  to 
the  social  question  of  the  universal  personal  identifier,  plus  the 
role  of  the  social  security  number  as  one  such.  To  recast  the 
final  point  in  a different  metaphor,  we  as  a country  must  take 
care  not  to  create  the  information  analog  of  Dr.  Frankstein's 
monster.  We  must  not  create  an  ensemble  of  record  keeping  systems 
over  which  we  do  not  have  complete  control.  So  to  speak,  we  must 
be  able  to  pull  the  plug  if  it  ever  becomes  necessary. 

As  a subject  of  discourse  and  discussion,  the  privacy  issue  emerged 
as  such  in  the  early  70' s with  the  books  of  Alan  Westin,  Arthur  Miller  and 
James  Rule.  The  subject  came  into  sharp  focus  when  Secretary  Richardson 
(then  of  DHEW)  created  his  special  advisory  committee  on  automated  personal 
data  systems.  The  report  of  the  group,  "Records,  Computers,  and  the  Rights 
of  Citizens"  was  published  in  July  of  1973,  and  has  turned  out  to  be  the 
definitive  treatment  of  privacy  that  has  strongly  influenced  nearly  every- 
thing that  has  happened  subsequently.  The  report  was  not  only  a comprehen- 
sive discussion  of  the  subject,  but  it  made  a number  of  important  conceptual 
advances.  One  was  the  notion  of  fairness  in  the  use  of  personal  information; 


r 


- 6 - 

another,  the  concept  of  mutual  interest  as  it  relates  to  the  interaction 
between  a data  subject  and  a record  system — both  sides  have  a stake  in  the 
interaction.  Another  advance  was  the  set  of  principles  that  formed  a 
general  framework  for  the  information  interface  between  people  and  record 
systems.  The  report  introduced  the  concept  of  fair  information  practice 
and  was  even  so  bold  as  to  suggest  a code  to  implement  it.  From  it  came 
the  Privacy  Act  ol  1974  which  is  an  omnibus  legislative  approach  in  the 
sense  that  the  Act  throws  a broad  umbrella  of  agency  behavior  and  citizen 
rights  over  all  federal  record  keeping  systems.  There  is  a mechanism  to 
exempt  a system  from  the  requirements  of  the  Act,  but  the  procedure  and 
the  reasons  are  in  public  view. 

In  addition,  there  have  been  other  legislation  that  has  dealt  with 
specific  aspects  of  privacy:  the  Fair  Credit  Reporting  Act,  the  Fair 

Credit  Billing  Act,  the  Equal  Opportunity  Employment  Act,  and  the  Equal 
Opportunity  Credit  Act.  Each  addressed  the  collection  and  use  of  informa- 
tion in  a specific  area,  and  each  defined  "harm"  in  terms  of  a negative  but 
unfair  determination  about  an  individual.  In  contrast  to  the  omnibus 
approach  of  the  1974  Act,  each  is  a "rifle  shot"  approach.  There  are 
various  state  laws  of  similar  kinds. 

Moreover,  the  1974  Act  created  the  Privacy  Protection  Study  Com- 
^ mission,  whose  work  is  presently  in  progress  and  which  is  scheduled  to 
complete  its  task  in  June,  1977.  In  less  than  a yee . , we  are  to  make 
recommendations  to  the  Congress  and  to  the  President  on  the  next  step, 
legislative  or  otherwise.  Of  course,  very  high  on  our  list  is  the  entire 
private  sector  and  the  question  of  what  safeguards,  if  any,  should  be 
legislated  for  it.  We  have  held  hearings  on  most  major  types  of  record 
keeping  systems.  We  are  beginning  to  deliberate  and  discuss  and  debate 
what  we  have  heard.  We  are  trying  to  understand  the  problems  that  are 
common  from  one  area  of  record  keeping  to  another,  and  trying  to  perceive 
remedies  and  quite  another  to  balance  them  off  against  cost,  and  reach  a 
judgement  on  whether  the  remedy  justifies  the  cost. 

At  this  point  in  time,  we  the  Commission  do  not  have  any  preconceived 
position  on  whether  the  omnibus  approach  or  a specific-area  approach  is 
to  be  preferred,  or  either.  One’s  intuition  suggests  that  some  combination 
might  be  better.  We  have  not  decided  whether  the  thrust  of  the  '74  Act  is 

j 


- 7 - 

appropriate  to  the  private  sector  or  needs  amendment  for  the  public  sector. 

We  have  no  position  on  H.R.  1984,  a comprehensive  omnibus  bill  for  the  pub- 
lic and  private  sector.  We  are  just  beginning  the  synthesis  aspect  of  our 
research.  I am  beginning  to  appreciate  that  the  Privacy  Commission  will 
not  exhaust  the  problem  and  that  there  is  a much  larger  issue  that  I can 
now  understand  somewhat.  I don't  have  an  appropriate  name  for  it,  but  it 
is  something  like  "public  policy  on  information" — privacy  is  one  aspect  of 
it.  I can  share  with  you  my  insight  such  as  it  is  at  the  moment,  but  I 
know  that  it  is  incomplete  and  may  well  change. 

There  is  an  obvious  aspect  that  has  to  do  with  right  of  ownership.  Do 
we  need  a right-of-ownership  status  for  information  about  oneself?  In  a 
way,  the  problem  has  surfaced  already  in  the  reexamination  of  the  copyright 
law.  In  another  instnace,  a hospital  owns  its  records  under  California  law; 
my  name  is  on  one  or  more  such  records  but  I think  that  it  is  quite  clear 
that  the  hospital  does  not  own  my  name.  It  is  clear  that  I am  free  to  use 
my  name  as  I always  have.  What  does  ownership  mean  in  the  sense  of  infor- 
mation? Specifically,  what  does  ownership  of  personal  information  mean? 

The  computer  has  exacerbated  the  difficulty  because  the  same  item  of  infor- 
mation can  appear  as  holes  in  a punched  card,  on  a piece  of  magnetic  tape, 
as  a pattern  of  electrical  voltages  inside  the  computer,  or  as  a strip  of 
printed  paper.  The  representation  of  information  changes,  but  the  informa- 
tion per  se  does  not.  What  is  it  that  one  owns? 

An  airline  reservation  system,  an  electronic  bank  terminal,  and  a 
point-of-sale  system  such  as  found  in  a super-market  share  an  interesting 
common  characteristic;  each  one  captures  data  about  an  aspect  of  human  be- 
havior. Each  knows  something  about  the  whereabouts  of  an  individual,  or 
his  buying  habits,  or  his  buying  preferences,  or  his  financial  habits; 
therefore,  by  inference  at  least,  there  is  an  overtone  of  surveillance. 

Such  systems  were  not  created  to  play  such  a role;  to  do  its  function 
each  captures  information  about  people.  Nonetheless  there  is  created  a 
body  of  information  that  is  exploitable  for  surveillance  purposes  if 
someone  is  so  inclined  and  that  is  bound  to  be  of  interest  to  many  parties 
and  organizations  in  and  out  of  government.  Perhaps  we  need  a public  policy 
for  information  of  such  kind  to  make  certain  that  it  does  not  fall  into 
unintended  surveillance  or  undesirable  collateral  usage. 

h 

* i • 

k.- __  ___ A 


- 8 - 


A third  possibility.  When  a physician  treats  a patient,  he  records  both 
facts  about  health  status  and  laboratory  findings  of  the  patient,  but  he 
also  records  his  own  view,  insights  and  conjectures  about  the  case.  The 
comment  is  especially  true  for  the  psychiatrist  or  the  psychologist.  The 
two  kinds  of  information  are  fundamentally  different;  one  is  very  factual 
and  the  other  conjectural,  anecdctal,  or  episodic.  One  kind  records  his- 
torical progress  of  the  patient  through  a medical  treatment;  the  other 
assists  the  physician  in  his  management  of  the  patient  through  a course  of 
treatment.  Education  records  have  a similar  characteristic.  Educational 
records  contain  largely  factual  information  that  documents  the  historical 
progress  of  a student  through  the  education  system — his  achievements,  his 
grades,  his  courses.  Education  records,  especially  in  the  public  schools, 
often  contain  anecdotal  information  put  there  by  teachers,  supervisors  or 
administrators.  The  intent  of  the  latter  is  to  assist  the  school  system 
in  managing  the  student  as  he  progresses  through  the  system.  There  is  a 
parallel  between  educational  records,  medical  records  and  mental  health 
records.  Perhaps  we  need  a public  policy  that  distinguishes  clearly  that 
one  kind  of  information — the  factual  one — can  be  used  in  particular  ways 
and  controlled  in  appropriate  ways,  but  that  the  other  enjoys  a special 
protected  status,  so  that  unfounded,  conjectural,  or  untrue  information 
does  not  leak  out  and  inadvertently  cause  harm. 

To  put  the  last  point  in  perspective  let  me  note  that  other  kinds  of 
record  systems  collect  information  about  people  for  quite  different  pur- 
poses,  not  to  manage  the  passage  of  an  individual  through  a system.  Some 
record  systems  collect  information  because  they  provide  a service — the 
airline  reservation  system.  Other  record  systems  collect  data  because  a 
determination  about  individuals  is  to  be  made  only  once — An  insurance  com- 
pany record  system  collects  information  to  decide  whether  to  issue  a policy 
but  having  made  the  decision,  for  all  practical  purposes  the  record  has  no 
presently  perceived  future  need.  It  is  kept  on  the  expectation  that  it 
might  be  needed  in  the  future,  not  because  it  clearly  will  be  needed. 

Such  is  the  broad  panoply  of  information  policy  issues  that  I see 
ahead.  We  in  the  Privacy  Commission  have  not  even  thought  about  them, 
much  less  examined  them  in  depth.  As  a country,  we  have  a lot  of  privacy 
Issues  ahead  of  us.  Given  the  information  requirements  of  a modern  society 


in  a contemporary  country,  and  given  the  growing  affluence  of  society  and 
given  the  invention  of  the  computer  at  just  the  right  time,  it  was  in- 
evitable that  the  whole  set  of  concerns  that  we  call  privacy  would  emerge. 

It  had  to  happen  and  we  must  face  it  as  a social  issue.  Our  whole  culture 
and  our  government  heritage  is  one  of  checks  and  balances;  the  record 
keeping  situation  now  doesn't  have  them.  We  do  not  have  the  safeguards 

that  properly  ch^ck  nor  balance  the  many  ways  in  which  record  keeping 

V 

systems  use  information  that  has  been  collected  about  people. 

To  summarize.  Privacy  is  a problem  of  many  dimensions,  even  for  the 
limited  context  in  which  this  conference  will  examine  it.  It  is  a complex 
issue,  but  one  set  in  a much  broader  information  policy  issue,  jk  Remarkably, 
we  seem  to  be  on  top  of  the  problem;  that  is  both  pleasing  and ■ satisfying. 

If  we  really  are  not  wholly  in  command  of  it,  at  least  the  problerh  is  not 
yet  too  big.  We  have  a chance  to  avoid  in  record  keeping  practices  the 
analog  of  environmental  pollution.  One  should  derive  some  satisfaction  from 
knowing  that  after  this  country  has  spent  200  years  learning  how  to  make 
itself  work,  for  once  we  seem  to  be  satisfactorily  ahead  of  a problem. 


